Revision as of 17:20, 7 April 2009

Description

XPath is a type of query language that describes how to locate specific elements (including attributes, processing instructions,
etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath
can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries.

More information may be found in the article dedicated to XPATH Injection. Using an XPATH Injection attack the attacker is able to log in to the system without entering valid login and password. If he wants to know information about other users he must take one step further. When conducting a Blind XPath Injection attack, the attacker has no knowledge about the structure of the XML document. However his situation is better compared to Blind SQL Injection, because there are functions which allow for performing tests (XML Crawling) and in the end getting to know the document structure.

Risk Factors

TBD

Examples

The attacker may be successful using two methods: Boolenization and XML Crawling. By adding to the XPath syntax, the attacker uses additional expressions (replacing what the attacker entered in the place of login to the specially crafted expression).

Boolenization

Using the "Boolenization" method the attacker may find out if the given XPath expression is True or False. Let's assume that the aim of the attacker is to log in to the account. Successfull log in would equal "True" and failed log in attempt would equal "False". Only a smart portion of the information is analyzed "character" or the number. When the attacker focuses on the string he may reveal it in its entirety by checking every single character within the class/range of characters this string belongs to.

Using a string-length(S) function, where S is a string, the attacker may find out the length of this string. With the appropriate number of substring(S,N,1) function iterations, where S is a previously mentioned string, N is a start character, and "1" is a next character counting from N character, the attacker is able to find out the whole string.

Username: ' or substring((//user[position()=1]/child::node()[position()=2]),1,1)="a" or ''='

The XPath syntax may remind you of common SQL Injection attacks but the attacker must consider that this language disallows commenting
out the rest of expresssion. To omit this limitation the attacker should use OR expressions to void all expressions, which may disrupt the attack.

Because of Boolenization the number of queries, even within a small XML document, may be very high (thousands, houndred of thousands and more). That is why this attack is not conducted manually. Knowing few basic XPath functions the attacker is able to write an application in a short time, which will rebuild the structure of the document and will fill it with data by itself.